Harald Barth | 25 Jul 15:06 2011

Re: Heimdal in Lion


The broken ssh in Lion has been assigned Bug ID# 9743343 (amongst
other duplicates). If there is anyone with information on progress on
this, I would be pleased to know. Otherwise I have to prepare a
workaround (in effect shipping a replacement ssh to those users who
want to use our services from OSX Lion), make the support web pages
etc. etc. All resulting in more "Kerberos does not work, why are you
using that s***" talk which I really don't need.

Harald.

PS: Since release (5 days) we have 2 users who have fallen for the
"over 250 new features of OSX Lion" and no longer can log in to our
computers.

doug quaid | 25 Jul 09:38 2011

Disable password change for users via kadmind.acl or other


Hi,
Is it possible to prevent all users from changing their password via kadmin? I am using Heimdal 1.2. As far
as I can tell there is no way to do so. I run kadmin as a user; the 'privileges' command says "none" and 'get'
fails, but I am able to issue the 'passwd' command. I have tried adding

joe   get joe

to kadmind.acl with the expectation that joe would only have 'get' privileges, but this still does not prevent joe from
changing joe's password.
Is there another way?
Thanks

Stefan (metze) Metzmacher | 24 Jul 17:37 2011

lib/krb5: Allow any kvno to match when searching the keytab.

Hi Love,

is this patch acceptable for you?

metze
Stefan (metze) Metzmacher | 24 Jul 17:34 2011

kdc: fix comparison between krb5int32 (int) and unsigned int

Hi Love,

I noticed a regression with this commit:

commit f5f9014c90cdf795867ad336803caf802bac7fed
Author: Love Hornquist Astrand <lha <at> h5l.org>
Date:   Fri Apr 29 20:25:05 2011 -0700

    Warning fixes from Christos Zoulas

    - shadowed variables
    - signed/unsigned confusion
    - const lossage
    - incomplete structure initializations
    - unused code
---
 kdc/krb5tgs.c |   15 ++++++++-------
 1 files changed, 8 insertions(+), 7 deletions(-)

Casting (int) to (size_t) is wrong.

metze
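As an added illustration of the point above (not code from Heimdal, from the commit in question, or from this thread, and with hypothetical function names), this shows why casting a signed krb5int32 to size_t before a comparison goes wrong, and the sign-first check that avoids it:

```c
#include <stddef.h>
#include <stdint.h>

typedef int32_t krb5int32;   /* assumption: same width and signedness as Heimdal's krb5int32 */

/* Unsafe pattern: (size_t)value silently maps every negative value to a huge
 * unsigned number, so a negative value never compares as "below" the limit.
 * Returns 1 when the cast comparison says value < limit, 0 otherwise. */
int below_limit_cast(krb5int32 value, size_t limit)
{
    return (size_t)value < limit;
}

/* Safe pattern: decide the sign in the signed domain first, and only cast a
 * value that is known to be non-negative (and hence representable as size_t). */
int below_limit_checked(krb5int32 value, size_t limit)
{
    if (value < 0)
        return 1;   /* a negative value is below any non-negative limit */
    return (size_t)value < limit;
}

/* The same discipline for a kvno range check against an unsigned maximum:
 * reject negative input explicitly instead of letting the cast wrap it. */
int kvno_in_range(krb5int32 kvno, unsigned int max_kvno)
{
    if (kvno < 0)
        return 0;   /* an invalid kvno, not a "very large" one */
    return (unsigned int)kvno <= max_kvno;
}
```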
Stefan (metze) Metzmacher | 24 Jul 17:29 2011

Set improved enctypes parameter defaults to better match the RFC.

Hi,

is commit f93a56f931e91c7b8eeec83b94015604bbc898f1 of heimdal really
correct?

In Samba we needed to set c->use_strongest_server_key = TRUE in order to get
the same behavior as with heimdal 1.4.

metze

Russ Allbery | 24 Jul 07:49 2011

Linking with Heimdal on Lion

Lion comes with Heimdal Kerberos libraries and an MIT Kerberos
compatibility shim.  Unfortunately, that shim doesn't implement
krb5_appdefault_*, which breaks the ability to get settings out of
krb5.conf.  I know those functions are available in the underlying Heimdal
libraries (but the calling sequence for the krb5_realm parameter is
different, which is probably why there has to be a compatibility shim).

All my existing configure machinery finds the MIT shim on Lion and
therefore thinks it can call krb5_appdefault_* with the MIT calling
convention, which results in a syslog'd error message and failure.

Does anyone know how I find and link against the actual Heimdal libraries
so that I can detect that I'm using Heimdal, use the appropriate
krb5_realm definition, and call the real krb5_appdefault_* functions?

(I don't have any Mac OS X systems personally.)

-- 
Russ Allbery (rra <at> stanford.edu)             <http://www.eyrie.org/~eagle/>

Jelmer Vernooij | 22 Jul 14:19 2011

[PATCH] cf: Also enable pthreads on Linux 3.

From: Jelmer Vernooij <jelmer <at> samba.org>

---
 cf/pthreads.m4 |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/cf/pthreads.m4 b/cf/pthreads.m4
index 7ce7310..209e4f3 100644
--- a/cf/pthreads.m4
+++ b/cf/pthreads.m4
 <at>  <at>  -41,7 +41,7  <at>  <at>  case "$host" in
 	;;
 *-*-linux* | *-*-linux-gnu)
 	case `uname -r` in
-	2.*)
+	2.*|3.*)
 		native_pthread_support=yes
 		PTHREAD_CFLAGS=-pthread
 		PTHREAD_LIBADD=-pthread
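Review bot: the pattern `2.*|3.*` on `uname -r` only postpones the same breakage to the next kernel major bump (a 4.x kernel will again fall through to the default), and it tests the kernel running on the build host rather than anything about the toolchain that actually determines whether `-pthread` works; consider `2.*|[3-9].*` or, better, dropping the version case for `*-*-linux*` so that `native_pthread_support=yes` with `PTHREAD_CFLAGS=-pthread` / `PTHREAD_LIBADD=-pthread` is set unconditionally on Linux.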
-- 
1.7.5.4

Linus Nordberg | 17 Jul 11:08 2011

Replay cache in use?

Hi,

It seems to me that Heimdal has a replay cache (lib/krb5/replay.c) but
that it's not being used.  Is that correct and if so, why is it not
being used?

Thanks,
Linus

Doug Sampson | 9 Jul 01:00 2011

Kerberos implementation in Netatalk

I'm having trouble getting Appletalk users authenticated via KRB5 on a
FreeBSD machine running netatalk in an Active Directory environment
utilizing Windows 2003 domain controllers. I'm seeing these in our afpd
error log:

Jul 07 16:40:00.888509 afpd[7283] {dsi_tcp.c:209} (I:DSI): AFP/TCP
session from 192.168.1.108:49658
Jul 07 16:40:00.889514 afpd[7260] {server_child.c:387} (I:Default):
server_child[1] 7282 exited 1
Jul 07 16:40:00.890376 afpd[7260] {server_child.c:389} (I:Default):
server_child[1] 7283 done
Jul 07 16:40:00.939783 afpd[7284] {dsi_tcp.c:209} (I:DSI): AFP/TCP
session from 192.168.1.108:49659
Jul 07 16:40:00.940199 afpd[7284] {afp_dsi.c:441} (D5:AFPDaemon): <==
Start AFP command: AFP_LOGIN_EXT
Jul 07 16:40:00.940319 afpd[7284] {afp_dsi.c:448} (D5:AFPDaemon): ==>
Finished AFP command: AFP_LOGIN_EXT -> AFPERR_AUTHCONT
Jul 07 16:40:00.940668 afpd[7284] {afp_dsi.c:441} (D5:AFPDaemon): <==
Start AFP command: AFP_LOGINCONT
Jul 07 16:40:00.940690 afpd[7284] {uams_gss.c:549} (D5:UAMS): uams_gss.c
:LoginCont: client thinks user is doug
Jul 07 16:40:00.940708 afpd[7284] {uams_gss.c:152} (D5:UAMS):
get_afpd_principal: fqdn: aries.dawnsign.com:548
Jul 07 16:40:00.940725 afpd[7284] {uams_gss.c:156} (D5:UAMS):
get_afpd_principal: service: afpserver
Jul 07 16:40:00.940764 afpd[7284] {uams_gss.c:198} (D5:UAMS):
get_afpd_principal: importing principal `afpserver <at> aries.dawnsign.com'
Jul 07 16:40:00.942008 afpd[7284] {uams_gss.c:326} (D5:UAMS): acquire
credentials: acquiring credentials (uid = 0, keytab =
/usr/local/etc/afpserver_aries.keytab)

Harald Barth | 8 Jul 15:56 2011

Compat with MIT kadmin?


First the general question until I dig further: Should the kadmind
from Heimdal be compatible with the kadmin from MIT, for example to
get keytabs on machines with MIT software installed?

On the client side (Scientific Linux 6.0):

# kadmin -p haba/admin
Authenticating as principal haba/admin with password.
Password for haba/admin <at> STACKEN.KTH.SE: 
Warning: Your password will expire in less than one hour on Thu Jan  1 01:00:00 1970
kadmin: GSS-API (or Kerberos) error while initializing kadmin interface

:-(

# rpm -qf /usr/bin/kadmin 
krb5-workstation-1.9-9.el6_1.1.i686

I dare to say that my principal does _not_ expire at time zero and
even if I set my passwd exp date to something in the future (instead
of never) it does not help :-(

kadmin> get haba/admin
            Principal: haba/admin <at> STACKEN.KTH.SE
    Principal expires: 2012-04-01 23:59:59 UTC
     Password expires: never
 Last password change: 2009-10-08 17:55:16 UTC
      Max ticket life: 1 day
   Max renewable life: 1 day
                 Kvno: 5

Friedrich Locke | 7 Jul 18:20 2011

mod_auth_kerb with heimdal : I am losing my hair and completely desperate for help

Dear list members,

I have a box I set up as an HTTP server. I can log into this machine
via ssh using a Kerberos ticket (GSSAPI) and by directly providing a
password (which is looked up in my Heimdal server).

I would like to let Apache authenticate passwords through the Heimdal KDC.
So I set up mod_auth_kerb, and when I try to access the home page my
web client shows an authentication window requesting a user name and
a password; I provide both, but I cannot authenticate.

What I get from the Apache logs is:

[Thu Jul  7 13:17:00 2011] [debug] src/mod_auth_kerb.c(0): [client
189.83.120.119] kerb_authenticate_user entered with user (NULL) and
auth_type Kerberos
[Thu Jul  7 13:17:00 2011] [debug] src/mod_auth_kerb.c(0): [client
189.83.120.119] Using HTTP/gustav.cpd.ufv.br <at> UFV.BR as server
principal for password verification
[Thu Jul  7 13:17:00 2011] [debug] src/mod_auth_kerb.c(0): [client
189.83.120.119] Trying to get TGT for user sioux <at> UFV.BR
[Thu Jul  7 13:17:00 2011] [error] [client 189.83.120.119]
krb5_get_init_creds_password() failed: Cannot contact any KDC for
requested realm
[Thu Jul  7 13:17:00 2011] [debug] src/mod_auth_kerb.c(0): [client
189.83.120.119] kerb_authenticate_user_krb5pwd ret=401 user=(NULL)
authtype=(NULL)

It sounds very strange to me. The message "Cannot contact any KDC for
requested realm" is weird because I can log into this host using
